SQL injection from request data in Slick SQL string in Play

Critical Risk sql-injection
Tags: scala, play-framework, slick, sql-injection, request-data

What it is

A SQL injection vulnerability in which user-controlled input is spliced into the text of a raw Slick SQL statement (sql"..." or overrideSql) instead of being passed as a bound parameter, or is used as an identifier (table or column name) without proper handling. Because the database then cannot tell the request data apart from the statement itself, an attacker can expose or modify database data, run unauthorized queries, and compromise the application's integrity and confidentiality.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Request data is spliced directly into the text of a Slick sql"..." query (via the `#$` literal interpolator or string concatenation) rather than being bound as a parameter with `$`.

Root causes

String Interpolation in Slick Raw SQL

A value taken from the request is interpolated into the SQL text of a Slick sql"..." query as a literal, so it becomes part of the statement instead of a bound parameter.

Missing Slick Parameter Binding

The raw SQL is built without Slick's parameter binding, so the database receives request data as part of the statement text rather than as a separately bound value.

Fixes

1. Use Slick Parameter Binding

Replace string interpolation with Slick's parameter binding system in raw SQL.

Implementation: sql"SELECT * FROM users WHERE id = $userId".as[User], where `$userId` is sent as a bound parameter rather than spliced into the statement text.
2. Use Slick Lifted Embedding

Prefer Slick's type-safe lifted embedding over raw SQL when possible.

Implementation: users.filter(_.id === userId) instead of raw SQL with interpolation.
3. Validate Request Data

Implement comprehensive validation for all request data before database operations.

Implementation: use Play Form validation and custom constraints to ensure data integrity.
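The three fixes above, shown together in one Play controller as an added example (this is not code from the original page or from the Slick or Play projects). It assumes play-slick wiring, a `users` table with `id` and `email` columns, and a `User` case class; the unsafe `#$` variant is kept beside the bound `$` variant so the difference in the generated statement is visible.

```scala
import javax.inject.Inject
import play.api.mvc._
import play.api.db.slick.{DatabaseConfigProvider, HasDatabaseConfigProvider}
import slick.jdbc.{GetResult, JdbcProfile}
import scala.concurrent.ExecutionContext

case class User(id: Long, email: String)

// Assumed Play controller wired to Slick through play-slick (hypothetical names).
class UserController @Inject()(protected val dbConfigProvider: DatabaseConfigProvider,
                               cc: ControllerComponents)(implicit ec: ExecutionContext)
    extends AbstractController(cc) with HasDatabaseConfigProvider[JdbcProfile] {

  import profile.api._
  implicit val getUser: GetResult[User] = GetResult(r => User(r.<<, r.<<))

  // VULNERABLE: `#$` splices the request value into the SQL text verbatim, so the
  // value becomes part of the statement instead of a bound parameter.
  def findUnsafe(email: String): DBIO[Seq[User]] =
    sql"SELECT id, email FROM users WHERE email = '#$email'".as[User]

  // FIXED: plain `$` inside sql"..." becomes a JDBC `?` placeholder and the value
  // is bound separately; request data never enters the SQL text.
  def findSafe(email: String): DBIO[Seq[User]] =
    sql"SELECT id, email FROM users WHERE email = $email".as[User]

  // Identifiers (e.g. ORDER BY columns) cannot be bound as parameters, so map the
  // request value onto a fixed allow-list and splice only our own literal.
  private val sortColumns = Map("id" -> "id", "email" -> "email")
  def listSorted(sortBy: String): DBIO[Seq[User]] = {
    val col = sortColumns.getOrElse(sortBy, "id") // unknown key falls back to id
    sql"SELECT id, email FROM users ORDER BY #$col".as[User]
  }

  // Lifted embedding: no SQL text is assembled at all, values are always bound.
  class Users(tag: Tag) extends Table[User](tag, "users") {
    def id    = column[Long]("id", O.PrimaryKey)
    def email = column[String]("email")
    def *     = (id, email) <> (User.tupled, User.unapply)
  }
  private val users = TableQuery[Users]

  // Request handler: `email` comes straight from the query string.
  def byEmail(email: String): Action[AnyContent] = Action.async {
    db.run(users.filter(_.email === email).result).map(us => Ok(us.mkString("\n")))
  }
}
```

Enabling statement logging (`logger.slick.jdbc.JdbcBackend.statement` at DEBUG) shows `findSafe` and `byEmail` emitting `?` placeholders while `findUnsafe` emits the request value inside the statement, which is the pattern a code review or detector should flag.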

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from request data in Slick SQL strings in Play, along with many other security issues in your codebase.